Currently I am using the rules in the localrules file; as you can see, the msauth
ones are commented out. Both work for RDP logins; however, as I said, I get a lot of
noise.

 

LocalRules.xml

<group name="local,syslog,">

  <!-- Filter Workstation$ Logon -->
  <rule id="100031" level="0">
    <if_sid>18104</if_sid>
    <match>SYSTEM: NT AUTHORITY:</match>
    <description>Dont Log this</description>
  </rule>

  <!-- Remote Desktop Connection -->
  <rule id="100032" level="11">
    <if_sid>18104</if_sid>
    <id>^4624|^4778|^1149</id>
    <description>Remote Desktop Connection Established</description>
  </rule>

</group> <!-- SYSLOG,LOCAL -->

 

Msauth.xml

<group name="windows,">

  <!-- Filter RDP ATHLON$
  <rule id="18159" level="0">
    <if_sid>18104</if_sid>
    <regex>Account Name:ATHLON</regex>
    <id>4624</id>
    <group>authentication_success,</group>
    <description>Remote access login success.</description>
  </rule> -->

  <!-- Filter RDP ATHLON$
  <rule id="18160" level="0">
    <if_sid>18105</if_sid>
    <regex>Account Name:ATHLON</regex>
    <id>4624</id>
    <description>Windows Logon Success,</description>
    <group>authentication_success,</group>
  </rule> -->

  <!-- RDP Access
  <rule id="18161" level="8">
    <if_sid>18104</if_sid>
    <id>^682|^4778|^4624</id>
    <description>Remote Desktop Connection Established</description>
    <group>authentication_success,</group>
  </rule> -->

</group>

<!-- EOF -->

 

From: [email protected] [mailto:[email protected]] On
Behalf Of dan (ddp)
Sent: Wednesday, October 09, 2013 6:08 PM
To: [email protected]
Subject: RE: [ossec-list] Re: RDP Alerts / msauth.xml

 


On Oct 9, 2013 6:06 PM, "Forums" <[email protected]> wrote:
>
> Even the code below still generates the email (noise) that I don't want to
see. I want to see an actual RDP logon from another person, which is
working. What I don't want is the actual machine$ account emailing me
machine connections.
>

Perhaps if we had samples of both kinds of logs it would be easier to help.

>  
>
> From: [email protected] [mailto:[email protected]] On
Behalf Of Forums
> Sent: Tuesday, October 08, 2013 9:58 AM
> To: [email protected]
> Subject: RE: [ossec-list] Re: RDP Alerts / msauth.xml
>
>  
>
> Does it matter that you have it in the local_rules and not the msauth?
Also, are you getting the noise that I am talking about? Thanks.
>
>  
>
> From: [email protected] [mailto:[email protected]] On
Behalf Of Derek Morris
> Sent: Tuesday, October 08, 2013 7:47 AM
> To: [email protected]
> Subject: [ossec-list] Re: RDP Alerts / msauth.xml
>
>  
>
> In my local_rules.xml I have these entries, not sure if they will help:
>
>  
>
>   <rule id="100888" level="11">
>     <if_sid>18104</if_sid>
>     <id>^682|^4778|^1149</id>
>     <description>Remote Desktop Connection Established</description>
>     <group>sysadmin,</group>
>   </rule>
>
>   <rule id="100999" level="11">
>     <if_sid>18104</if_sid>
>     <id>^683|^4779</id>
>     <description>Remote Desktop Connection Disconnected</description>
>     <group>sysadmin,</group>
>   </rule>
>
>  
>
>
> On Monday, October 7, 2013 6:24:38 PM UTC-4, Gary White wrote:
>
> I have edited the msauth file so that I get an email alert when I or
anyone remote desktops into my Windows machine. However, I get several
PCname$ alerts as well, and I think I need to <match> </match> another rule
to filter the unwanted logs out? Here is what I have done:
>
>  
>
>  <!-- Filter This Out -->
>   <rule id="18159" level="1">
>    <category>windows</category>
>    <if_sid>18104</if_sid>
>    <match>Athlon$</match>
>    <description>Remote access login success.</description>
>   </rule>
>
>  
>
>  
>
>  <!-- RDP Access Alert Working Fine -->
>   <rule id="18160" level="8">
>    <if_sid>18104</if_sid>
>    <id>^682|^4778|^4624</id>
>    <description>Remote Desktop Connection Established</description>
>    <group>authentication_success</group>
>   </rule>
> </group>
> <!-- EOF -->
>
> The 4778 event ID is for when someone has logged back into an already
established session; this works fine. What I also want is when someone logs
on creating a new RDP session (4624); however, that also generates this email:
>
>  
>
>  
>
> OSSEC HIDS Notification.
>
> 2013 Oct 07 11:52:39
>
>  
>
> Received From: (Athlon) 10.1.1.11->WinEvtLog
>
> Rule: 18160 fired (level 8) -> "Remote Desktop Connection Established"
>
> Portion of the log(s):
>
>  
>
> WinEvtLog: Security: AUDIT_SUCCESS(4624):
Microsoft-Windows-Security-Auditing: ATHLON$: MYDOMAIN:
ATHLON.mydomain.local: An account was successfully logged on. Subject:
Security ID:  S-1-0-0  Account Name:  -  Account Domain:  -  Logon ID:  0x0
Logon Type:   3  New Logon:  Security ID:  S-1-5-18  Account Name:  ATHLON$
Account Domain:  MYDOMAIN  Logon ID:  0x839f215b  Logon GUID:
{666D9506-E849-14C7-8D3A-6550AE9EE889}  Process Information:  Process ID:
0x0  Process Name:  -  Network Information:  Workstation Name:   Source
Network Address: ::1  Source Port:  0  Detailed Authentication Information:
Logon Process:  Kerberos  Authentication Package: Kerberos  Transited
Services: -  Package Name (NTLM only): -  Key Length:  0  This event is
generated when a logon session is created. It is generated on the computer
that was accessed.
>
>  
>
> If anyone can point me in the right direction that would be great thanks.
>
> -- 
>  
> --- 
> You received this message because you are subscribed to the Google Groups
"ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
email to [email protected]
<mailto:ossec-list%[email protected]> .
> For more options, visit https://groups.google.com/groups/opt_out.
>

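Added example, not from the thread or from OSSEC: a small Python classifier that applies the decision the rules in this thread are trying to express, run over the 4624 line quoted above (re-joined onto one line and trimmed) plus two constructed lines (user `jdoe`, a placeholder SID, a 4778 reconnect). It keys on the two fields the quoted rules never test: the "New Logon" account name (a trailing `$` marks the computer account, which is the noise) and the Logon Type (10 is RemoteInteractive, i.e. RDP); 4778 and 1149 are alerted as-is. An OSSEC `<regex>` chained to rule 18104 would need to capture the same two conditions.

```python
import re

# Sample lines in the WinEvtLog format OSSEC's Windows agent forwards. MACHINE_LOGON
# is the 4624 line quoted in the thread (re-joined, trimmed); the other two are constructed.
MACHINE_LOGON = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: "
    "ATHLON$: MYDOMAIN: ATHLON.mydomain.local: An account was successfully logged on. "
    "Subject:  Security ID:  S-1-0-0  Account Name:  -  Logon Type:   3  New Logon:  "
    "Security ID:  S-1-5-18  Account Name:  ATHLON$  Account Domain:  MYDOMAIN"
)
USER_RDP_LOGON = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: "
    "ATHLON$: MYDOMAIN: ATHLON.mydomain.local: An account was successfully logged on. "
    "Subject:  Security ID:  S-1-0-0  Account Name:  -  Logon Type:   10  New Logon:  "
    "Security ID:  S-1-5-21-0-0-0-1001  Account Name:  jdoe  Account Domain:  MYDOMAIN"
)
RECONNECT = (
    "WinEvtLog: Security: AUDIT_SUCCESS(4778): Microsoft-Windows-Security-Auditing: "
    "ATHLON$: MYDOMAIN: ATHLON.mydomain.local: A session was reconnected to a Window "
    "Station. Subject:  Account Name:  jdoe  Account Domain:  MYDOMAIN"
)

EVENT_ID_RE = re.compile(r"AUDIT_SUCCESS\((\d+)\)")
LOGON_TYPE_RE = re.compile(r"Logon Type:\s+(\d+)")
# The account that logged on is in the "New Logon" section; "Subject" is "-" for these logons.
NEW_LOGON_ACCOUNT_RE = re.compile(r"New Logon:.*?Account Name:\s+(\S+)")
RDP_LOGON_TYPE = "10"                 # RemoteInteractive
SESSION_EVENTS = {"4778", "1149"}     # session reconnect / RemoteConnectionManager auth


def parse_winevtlog(line):
    """Return event id, logon type and New Logon account name (None where absent)."""
    def grab(rx):
        m = rx.search(line)
        return m.group(1) if m else None
    return {"event_id": grab(EVENT_ID_RE), "logon_type": grab(LOGON_TYPE_RE),
            "account": grab(NEW_LOGON_ACCOUNT_RE)}


def is_machine_account(account):
    """Computer accounts end in '$' (ATHLON$); their logons are the noise."""
    return account is not None and account.endswith("$")


def should_alert(line):
    """Alert on RDP activity by a person; suppress machine-account and non-RDP 4624s."""
    ev = parse_winevtlog(line)
    if ev["event_id"] in SESSION_EVENTS:
        return True
    if ev["event_id"] == "4624":
        return ev["logon_type"] == RDP_LOGON_TYPE and not is_machine_account(ev["account"])
    return False
```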
